MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 903bfcbe2d85143ad723b47ed1edc96f5416fa3b584fe76e74d75e93ff4b2e64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 903bfcbe2d85143ad723b47ed1edc96f5416fa3b584fe76e74d75e93ff4b2e64
SHA3-384 hash: 5c4e3f7d29ff66f36a80595306d6594c6deb9d82bf28d02e4ef029ddd4ac8f0f76f9e2073681d2e3ba4b344b9dbdc63c
SHA1 hash: 2f335f8791e3effef43c8f3441d9573f70ea22e9
MD5 hash: c178cb400a5d151c4e59640ca55b604a
humanhash: kansas-one-butter-mockingbird
File name:uzomazx.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'062'400 bytes
First seen:2023-08-27 09:49:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:j1u6u4RbJDAzdUqYyDim6cF56gemFZiPZHWxEGPnqdOp:jV9RbJwdtim6cF5sR2xEGPnqdO
Threatray 1'809 similar samples on MalwareBazaar
TLSH T19A357BCB2F310D84CB4F34715C8C1B8856923DA149F59CF22B75AB786D468BFA69227C
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon ce9c9496e4949c9c (73 x AgentTesla, 51 x SnakeKeylogger, 30 x Formbook)
Reporter dancho_danchev
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
252
Origin country :
BG BG
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
uzomazx.exe
Verdict:
Malicious activity
Analysis date:
2023-08-27 09:50:30 UTC
Tags:
formbook xloader stealer spyware
Link:
https://app.any.run/tasks/87d601cd-079c-4baf-ac59-879d1500a956

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.389-2.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Restart of the analyzed sample
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/64eb1c4c9ff753467d7fbfd9/reports/b8696be3-3adc-4948-b725-abf3d5147cfc/overview
Verdict:
Malicious
Labled as:
Malware.Generic
Link:
https://www.hybrid-analysis.com/sample/903bfcbe2d85143ad723b47ed1edc96f5416fa3b584fe76e74d75e93ff4b2e64
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0db32815-0edb-4f3d-9ddf-330cab8b5fe4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1298173
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1298173 Sample: uzomazx.exe Startdate: 27/08/2023 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic 2->35 37 Multi AV Scanner detection for domain / URL 2->37 39 Found malware configuration 2->39 41 11 other signatures 2->41 10 uzomazx.exe 3 2->10         started        process3 signatures4 49 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->49 51 Tries to detect virtualization through RDTSC time measurements 10->51 53 Injects a PE file into a foreign processes 10->53 13 uzomazx.exe 10->13         started        process5 signatures6 55 Modifies the context of a thread in another process (thread injection) 13->55 57 Maps a DLL or memory area into another process 13->57 59 Sample uses process hollowing technique 13->59 61 Queues an APC in another process (thread injection) 13->61 16 explorer.exe 4 1 13->16 injected process7 dnsIp8 27 webers.site 81.169.145.156, 49777, 80 STRATOSTRATOAGDE Germany 16->27 29 td-ccm-neg-87-45.wixdns.net 34.149.87.45, 49758, 80 ATGS-MMD-ASUS United States 16->29 31 7 other IPs or domains 16->31 33 System process connects to network (likely due to code injection or exploit) 16->33 20 cmmon32.exe 16->20         started        signatures9 process10 signatures11 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/903bfcbe2d85143ad723b47ed1edc96f5416fa3b584fe76e74d75e93ff4b2e64/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-11-22 18:59:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sa57zprnqukdvvzdwr7nd3ojn5kbn6r3lbh6o3tu25pjh72lfzsa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
23c96a140db8d8bf5c14a2bf811ab8e22f93bf283179ebefeee31907b5067618
AgentTesla
3c9009eeffcaac6b1e45e26ed3d7c399b42d9a9507cc56ddec477c399a3d9b2f
AgentTesla
9a11023aa7479ba614e1287f7acba0822e95d707810eb9165cf994742d5eb34f
AgentTesla
9b4df9f66fdc83879d2ce5c5077f51e0ca02af50050fdeaccaca982bc0c59b52
AgentTesla
af2338dccdb59d40b3e6fbde008f3fad793ae9910fc3f2210bf6e9a311bd8044
AgentTesla
b13ad44ebdbdc53068e26d7aa84805bc1a4550a37c750ed726aee47cd692bb7a
AgentTesla
d567ffff91f307d87ca82e14ea8665a30486c9ba132756ffa468035f8ad7af69
AgentTesla
e25899bad9933c1b9676b0f94e0ef4f2be4756ae298e737f3dc67fea2246e8f8
AgentTesla
e61660e229f87b61562735d3d6f44326329b5d9e659198d02de592402984b7c7
AgentTesla
+ 1'799 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ua69 rat spyware stealer trojan
Link:
https://tria.ge/reports/230827-ltx18sgh42/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook payload
Formbook
Unpacked files
SH256 hash:
7896b9ef17ddfdeab5e31831b99e568c03cbd31a05db8fe6dc59b9e9e6669d58
MD5 hash:
12a9d91ba40e97b6f09118f7095e297d
SHA1 hash:
2862fec520df1b047f47f7966fc5d08cac3cdff9
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/4b6c1044-5832-42e9-aaac-dc44317d5463/
Parent samples :
e61660e229f87b61562735d3d6f44326329b5d9e659198d02de592402984b7c7
3c9009eeffcaac6b1e45e26ed3d7c399b42d9a9507cc56ddec477c399a3d9b2f
23c96a140db8d8bf5c14a2bf811ab8e22f93bf283179ebefeee31907b5067618
af2338dccdb59d40b3e6fbde008f3fad793ae9910fc3f2210bf6e9a311bd8044
903bfcbe2d85143ad723b47ed1edc96f5416fa3b584fe76e74d75e93ff4b2e64
SH256 hash:
807253a550c2d66e42ab7b8a893c149b9e0a955079c545562a38c155845d328c
MD5 hash:
0b7602cd58dcf5461352ae19cf23d68d
SHA1 hash:
d8c2f4409a2b1687e7c42d4d9feea93c951b7143
Link:
https://www.unpac.me/results/4b6c1044-5832-42e9-aaac-dc44317d5463/
SH256 hash:
d338485781a0ad4b6bd01f436c9cec664c5166dcdaa10f934b3893574a4e55d7
MD5 hash:
ac8b465cc234b98b89b7782acbba418a
SHA1 hash:
8ae28a309607f2dbca3995d7fc1ededcc95ca397
Link:
https://www.unpac.me/results/4b6c1044-5832-42e9-aaac-dc44317d5463/
SH256 hash:
cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
MD5 hash:
aabd0bdc81026ade6c57383f21d5c227
SHA1 hash:
4b26936bb8c03be6d7963184215a5ab594ecb765
Link:
https://www.unpac.me/results/4b6c1044-5832-42e9-aaac-dc44317d5463/
SH256 hash:
d3564fe3774198dcf37d0b6182ae78722d9a4053afe1c55271c8459a44d56038
MD5 hash:
bd09cbf7f491da0038d98accaaf03bab
SHA1 hash:
446cabb1103236c28ca329634672129f307ffd29
Link:
https://www.unpac.me/results/4b6c1044-5832-42e9-aaac-dc44317d5463/
SH256 hash:
903bfcbe2d85143ad723b47ed1edc96f5416fa3b584fe76e74d75e93ff4b2e64
MD5 hash:
c178cb400a5d151c4e59640ca55b604a
SHA1 hash:
2f335f8791e3effef43c8f3441d9573f70ea22e9
Link:
https://www.unpac.me/results/4b6c1044-5832-42e9-aaac-dc44317d5463/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/903bfcbe2d85/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/903bfcbe2d85143ad723b47ed1edc96f5416fa3b584fe76e74d75e93ff4b2e64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 903bfcbe2d85143ad723b47ed1edc96f5416fa3b584fe76e74d75e93ff4b2e64

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2403539/

Comments